Configuration Manager and OSD with a side of PowerShell

How to install a Win10 SSU before the LCU using Configuration Manager

If you are involved in patching Windows 10 systems, then you might be familiar with the Servicing Stack Update (SSU) dilemma that has been going on in the Configuration Manager (or SCCM as some like to call it) world lately. If you read the notes at the bottom of a KB for any of the cumulative updates you will see the following:

Microsoft strongly recommends you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU. For more information, see Servicing stack updates

Now, if you are getting updates via Microsoft Update, then you have nothing to worry about as MU knows to sequence the SSU before the LCU. However, if you are deploying updates with Configuration Manager, it uses WSUS and cannot (currently) handle sequencing the SSU before the LCU. So what is a ConfigMgr admin to do? Simple – it involves a little pixie dust (who doesn’t like pixie dust?), configuration items, collections and deployments. You see, I got this crazy idea as I was watching my Twitter feed and internal emails going back and forth on how to handle this issue. It was a relatively peaceful afternoon and I had decided to configure some CIs and Baselines to enable and configure BranchCache when I had a light bulb moment. So be sure to thank the 2Pint Software guys for spawning this idea (and be sure to check out their downloadable CI to enable BranchCache here).

Now here is where the light bulb moment happened – as I was creating the Configuration Baseline, I happened to notice that they can be comprised of Configuration Items, Software Updates, or other Configuration Baselines. After all, Software Updates are really just CIs. Then I remembered that we can create a collection based on the results of the Configuration Baseline. So the approach is: create a collection for your Windows 10 systems, target the Configuration Baseline and the SSU to this collection, and then target the LCU to the Compliant collection. This way we can be sure that the SSU gets installed before the LCU.

Here is a simple example that you can follow for your environment:

1. Create a collection called All Windows 10 1709 x64 Clients. I use DDR information for this:

    select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like "Microsoft Windows NT Workstation 10.0%" and SMS_R_System.Build = "10.0.16299"

   NOTE: Be careful of “smart quotes” if you are copying and pasting this query.

2. Make sure you have the latest SSU synchronized in CM. For this example I am using 2018-12 Update for Windows 10 Version 1709 for x64-based Systems (KB4477136).

3. Create a new Configuration Baseline:
   Name: Windows 10 1709 x64 SSU
   Description: Checks compliance for the Servicing Stack Update KB4477136
   Complete the other items like filtering and the option for co-managed clients as required by your environment.

4. Click the Add button and select Software Updates. Search for KB4477136 and then expand the Name field so that you select the correct update (and check the box next to it in order to select it).

5. Deploy the Configuration Baseline to the All Windows 10 1709 x64 Clients collection created in step 1. Pick a schedule that works with your environment.

6. On the Deployments tab of the Configuration Baseline, right-click and select Create New Collection > Compliant.

7. For the collection name, enter All Windows 10 1709 x64 SSU Compliant Clients and configure an evaluation schedule that works for your environment.

8. Run the Configuration Baseline on a client that you know is missing the SSU and it should show up as Non-compliant.

9. Target the SSU to the All Windows 10 1709 x64 Clients collection, make sure a client updates and then rerun the Configuration Baseline. It should now show as Compliant.

10. Back in the Configuration Manager Console, after a collection evaluation, the All Windows 10 1709 x64 SSU Compliant Clients collection should now show Win 10 devices that have the SSU installed. You can now use this collection to target the deployment for the LCU.
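The collection, baseline and baseline deployment from the steps above can also be scripted with the ConfigurationManager PowerShell module. This is an added example, not code from the original post. The site code PS1, the All Systems limiting collection, the daily schedules and the display-name filter are assumptions, as is passing the update's CI_ID to -AddSoftwareUpdate.

```powershell
# Added example (not from the original post): the collection, baseline and
# baseline deployment from the walkthrough, scripted.
# Assumptions: site code 'PS1', limiting collection 'All Systems', daily schedules,
# and a host with the Configuration Manager console installed.
$SiteCode   = 'PS1'                              # placeholder, use your own site code
$Collection = 'All Windows 10 1709 x64 Clients'
$Baseline   = 'Windows 10 1709 x64 SSU'
$SsuArticle = '4477136'                          # KB4477136, the SSU named in the post

Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location "${SiteCode}:"
$Daily = New-CMSchedule -Start (Get-Date) -RecurInterval Days -RecurCount 1

# Query-based collection. The single-quoted here-string keeps the WQL quotes as
# plain ASCII, which avoids the smart-quote problem the post warns about.
$Wql = @'
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client
from SMS_R_System
where SMS_R_System.OperatingSystemNameandVersion like "Microsoft Windows NT Workstation 10.0%"
and SMS_R_System.Build = "10.0.16299"
'@
if (-not (Get-CMDeviceCollection -Name $Collection)) {
    New-CMDeviceCollection -Name $Collection -LimitingCollectionName 'All Systems' `
        -RefreshSchedule $Daily | Out-Null
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $Collection `
        -RuleName $Collection -QueryExpression $Wql
}

# Find the synchronized SSU and insist on exactly one match, the scripted
# equivalent of expanding the Name column to pick the correct update.
# The display-name filter is an assumption based on the update title in the post.
$Ssu = @(Get-CMSoftwareUpdate -ArticleId $SsuArticle -Fast |
    Where-Object { $_.LocalizedDisplayName -like '*Version 1709 for x64*' })
if ($Ssu.Count -ne 1) {
    throw "Expected one synchronized update for KB$SsuArticle, found $($Ssu.Count)."
}

# Create the baseline and add the SSU to it.
# Assumption: -AddSoftwareUpdate accepts the update's CI_ID.
New-CMBaseline -Name $Baseline `
    -Description "Checks compliance for the Servicing Stack Update KB$SsuArticle" | Out-Null
Set-CMBaseline -Name $Baseline -AddSoftwareUpdate $Ssu[0].CI_ID

# Deploy the baseline to the collection created above.
New-CMBaselineDeployment -Name $Baseline -CollectionName $Collection -Schedule $Daily
```

Creating the Compliant collection from the baseline deployment (Create New Collection > Compliant) is left as a console action, as in the walkthrough.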

I am seeing lots of Group Policy conflict errors when deploying the baselines to my client devices only; servers seem to be evaluating fine. I am now focusing my efforts on looking at the different GPOs applied at the OU level; however, I was wondering if this was something you have seen before? I am just trying to work out why compliance evaluation would have a GPO conflict?